In this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information.
Street explores the overlooked threat of physical security and the human tendency to neglect negative outcomes.
One of the most unconventional methods I use when doing research and recon for an engagement, especially the ones that involve me going on-site for a physical compromise, is to use the websites of the architects who did work on their building.
I'll go to their building management website because you will sometimes find blueprints and pictures showing what the inside of their building looks like.
Such detailed disclosure offered insights into how one might circumvent the building's physical security systems.
We all know that social media makes gathering information on your targets extremely easy.
Still, companies need to understand that it's not just social media that can be used against them; it's their partners, those they've hired, and people they work with that can divulge information that could be detrimental to their cybersecurity and their perimeter security.
My main social engineering trick is just walking into a location like you belong there.
People underestimate how far confidence will get you into a location and how unsuspecting people are when they feel secure.
I've always said the only thing worse than no security is the false sense of security because it is tough to imagine something terrible will happen when you have that false sense of security.
One of the main tricks that I do when I am doing a phishing attack is not to tell them that something positive has happened.
People are very suspicious when they get an e-mail that something good has happened or will happen to them.
We often hear about software vulnerabilities, but physical intrusion is an overlooked threat for many organizations.
One of the key differences between software vulnerabilities and physical intrusions that many organizations often overlook is that software vulnerabilities have very defined and narrow vectors of attack.
The reason is they are limited by the network, the operating system, and the program that is being targeted.
With a physical intrusion, so many factors come into play, like the time of day, the location of the building itself, the security measures in place, and the people entrusted to maintain that security.
Unless we have no choice but to confront the truth that it is occurring, this flaw is very hard to overcome in most people.
While doing most of my engagements on-site, making a physical compromise, I encountered quite a few interesting situations.
Regrettably, many companies tend to focus more on the latest, buzzword-laden threats, rather than investing effort in implementing defensive measures, which, although they may seem mundane and challenging, are often far more effective in safeguarding the organization.
Ultimately, the practicality and effectiveness of these foundational security practices cannot be overstated in ensuring the company's protection.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 08 Jan 2024 07:13:04 +0000